chore(deps): bump @e4a/pg-js to ^1.5.0

[rubenhensen]

Picks up encryption4all/postguard-js#52 (resumable downloads via Range on transient failures) and #47 (chunk PUT retry/backoff with exponential jitter, surfacing of `UploadSessionExpiredError`). Skips 1.4.0 in passing — same SDK lineage, single bump grabs both.

Public-API note

pg-js's `downloadFileWithRetry` now returns the `ReadableStream` synchronously instead of wrapping it in a Promise. The addon does not call that function directly — it consumes pg-js via `PostGuard.open()` / `Opened.decrypt()`, which is unchanged. No addon-side code change needed.

Stream-level errors that previously surfaced as a Promise rejection from `await downloadFileWithRetry` now surface on the consumer's first `read()`. Since the addon's only access path is through `Opened.decrypt()`, those errors continue to propagate via the surrounding `await`.

Test plan

• `npm install` — resolves to 1.5.0
• `npx tsc --noEmit` clean
• `npx vitest run` — 21 passed (108 todo, pre-existing)
• `npm run build` — Build complete
• Manual: load the addon in Thunderbird against dev cryptify, send + receive an encrypted message and confirm decryption works end-to-end

[rubenhensen]

/dobby please review this dependency bump

[dobby-coder]

Dobby sees the request! Dobby will check the pg-js bump, verify the lockfile resolution, validate the API note about the synchronous ReadableStream, and confirm tests/build pass. Dobby will be back with findings shortly.

[dobby-coder]

Review summary — LGTM ✅

This bumps @e4a/pg-js from ^1.3.0 → ^1.5.0, picking up postguard-js #47 (chunk PUT retry + exponential backoff, UploadSessionExpiredError) and #52 (Range-based resumable downloads). Both upstream PRs are merged to pg-js main.

Verified locally

• package-lock.json resolves @e4a/pg-js@1.5.0 with a valid integrity hash.
• npm install clean, no advisories.
• npx tsc --noEmit passes.
• npx vitest run — 21 passed, 108 todo (pre-existing baseline).
• npm run build — Build complete.
• CI build job is green; release correctly skipped (no version tag).

API-impact verification

The PR body claims the addon is unaffected by the upstream signature change to downloadFileWithRetry (now returns ReadableStream synchronously instead of Promise<ReadableStream>). I confirmed this:

• The addon only imports from pg-js: PostGuard, DecryptDataResult, DecryptFileResult (yivi-popup.ts) and buildMime, extractCiphertext, extractUploadUuid, injectMimeHeaders (background.ts). No direct downloadFileWithRetry call.
• Decryption goes through pg.open({...}).decrypt(...) (yivi-popup.ts:161-177), which is awaited. Stream-level read errors propagate through that await as before.
• Internally, pg-js's decrypt.ts now wraps the synchronous ReadableStream inside Promise.all — non-thenable values are passed through unchanged, so the call site is still correct.

Notes

• The unchecked manual end-to-end Thunderbird test in the test plan is the only remaining item; everything else automated is green.
• No transitive dep red flags.

Recommend: ready for merge once the manual TB roundtrip is done.

[rubenhensen]

Thanks @dobby-coder for the approval. Manual TB roundtrip against dev cryptify before merge — flagged in the test plan, will run before flipping.

[rubenhensen]

@rubenhensen all dobby checks green — ready for your review and merge when you've run the manual smoke tests called out in the test plan.